Security Worm Targets Design Documents

July 20, 2012

I thought this was an interesting article out of Dark Reading lately – “AutoCAD Worm Targets Design Documents in Possible Espionage Campaign”.

AutoCAD is a software for computer-aided design and drafting in two and three dimensional formats. it’s used extensively in R&D, and pretty much any kind of electrical/mechanical/architectural design anywhere.

A malware campaign targeting AutoCAD drawings in Peru reached at least 10,000 machines. Investigators think the malware operator(s) were trying to gather as much information as possible. A small number of infections of the worm have appeared in other countries.

The infection occurs when a victim opens an AutoCAD document with the malicious LISP code. Once the code is started, it will create copies of itself in multiple locations to spread to other systems. The worm is called ACAD/Medre.A. It is able to infect versions 14.0 to 19.2 of AutoCAD by modifying the corresponding native startup file of AutoLISP (acad.lsp) by being named as the auto-load file acad.fas.

It employs Visual Basic Scripts that are executed using the Wscript.exe interpreter that is integrated in the Windows operating system since Windows 2000.

After some configuration, ACAD/Medre.A will send the different AutoCAD drawings that are opened by email to a recipient with an email account at a Chinese internet provider.

They don’t have enough evidence at this point to say which industry was being targeted.